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[57] ABSTRACT 

A message guaranty system for having a reliable third parly 
(evidence preparing server) prepare evidence information 
attesting to the transmission and reception of a message by 
a transmitting and a receiving terminal. When the transmit- 
ting terminal furnishes the target message with evidence 
information before transmitting them to the destination, the 
system attests to the transmission and reception of that 
message once they are completed. When a message is to be 
sent illustratively from a workstation (WS) 1 to a worksta- 
tion (WS) 2, the third-party evidence preparing server on the 
network first prepares transmission evidence based on a 
request from the WS 1 and sends it to the WS 1. The WS 1 
sends the message along with the evidence to the WS 2. The 
evidence preparing server then prepares reception evidence 
based on a request from an evidence verifying server (a third 
party) acting for the WS 2. The reception evidence thus 
prepared is retained by the evidence preparing server and is 
also returned to the evidence varying server. The evidence 
verifying server retains the reception evidence. When an 
application program on the WS 1 requests verification of the 
reception evidence, the evidence verifying means verifies 
the presence of the reception evidence and returns the result 
of the verification to the WS 1. 

22 Claims, 12 Drawing Sheets 
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MESSAGE GUARANTY SYSTEM is left to be resolved not by any reliable third party but only 

by the parties concerned does not make the system suitable 

BACKGROUND OF THE INVENTION for an open, distributed environment. 

The present invention relates to a message guaranty SUMMARY OF THE INVENTION 

system and, more particularly, to a message guaranty system 5 It ^ therefore an object of the present invention to 

capable of guaranteeing that messages have indeed been overcome the above and other deficiencies and disadvan- 

transmitted and received between terminals connected on a tages of the prior art and to provide a message guaranty 

network system. system having a third party intervene in the transmission and 

A number of conventional methods exist for guaranteeing reception of a message by a transmitting and a receiving 

the transmission and" reception of messages between work- 10 terminal, the system guaranteeing that every message it 

stations connected on a network system. One such method mediated was indeed transmitted by the transmitting termi- 

involves having the transmitting and receiving workstations nal and received by the receiving terminal. This invention 

each manage a message start serial number and a message differs from that of the cited reference 1 in that this invention 

end serial number which are assigned to each message sent gets a reliable third party in a neutral position to prepare 

from one side to the other. Another method requires estab- 15 evidence information regarding each message handled and 

lishing a sequence in which the receiving workstation that any dispute is resolved by the third party verifying the 

returns an acknowledgement in response to each message authenticity of the evidence information about the message 

received from the transmitting workstation. in question. 

More specifically, the former conventional method (of It is another object of the present invention to provide a 

managing message serial numbers) requires that four serial message guaranty system offering a delayed delivery service 

numbers, i.e., the message start and message end serial that takes a message from a transmitting terminal and 

assigned to each of the transmitting and receiving terminals, delivers the message to its destination on behalf of the 

coincide with one another before transmission or reception transmitting terminal, the system verifying the authenticity 

of any message. When the transmitting terminal transmits of the evidence information regarding any message so 

the message, the receiving terminal increments its message delivered which may be disputed between a plurality of 

start serial number by 1. With the message received, the terminals. When the reliable third party delivers a message 

receiving terminal increments its message start serial num- to its destination on behalf of the transmitting terminal, the 

ber by 1. The receiving terminal then processes the message. transmission and reception of the message are carried out 

With the message processing completed, the receiving ter- more securely than ever. The inventive system acting as the 

minal increments its message end serial number by 1 and thirty party effectively guarantees to any transmitting ter- 

returns an acknowledgement message to the transmitting minal both the transmission of the message in question and 

terminal. Having received the acknowledgment message, the reception thereof by the intended receiving terminal, 

the transmitting terminal increments its message end serial In achieving the foregoing and other objects of the present 

number by 1. This terminates the entire processing of 35 invention, there is provided a message guaranty system 

message transmission/reception. This kind of message serial featuring the following points: 

number management is carried out under the NIF/OSI (1) The inventive message guaranty system for use with 

(Network Interface Feature/Open Systems Interconnection) a plurality of terminals connected on a network furnishes 

protocol. If there occurs a serial number mismatch between each message sent from a transmitting to a receiving termi- 

the transmitting and the receiving terminal, an error is 4Q nal with evidence information which is prepared by a third 

suspected to have occurred in the message processing. party and which attests to the transmission and reception of 

The latter conventional method (of establishing an the message, whereby the transmission of any disputed 

acknowledgement sequence) requires that the receiving ter- message by the transmitting terminal or the reception of that 

minal must always return an acknowledgement message message by the receiving terminal is subsequently certified. 

(ACK) in response to the message sent from the transmitting 45 (2) The evidence information includes the terminal name 

terminal. The return of the ACK message is supposed to of the transmitting terminal transmitter identifier), the ter- 

guarantee an error-free message transmission. minal name of the receiving terminal (receiver identifier), 

A further method is proposed by Japanese Patent Laid- time of message transmission, and the message length, 
open No. Hei 4-227154 (cited reference 1). The proposed (3) The message guaranty system of the invention corn- 
method involves furnishing a securely managed encryption 50 prises evidence information preparing means for having a 
key and a powerful encryption algorithm whereby the trans- reliable third party prepare evidence information attesting to 
mitting terminal furnishes the target message with a token the transmission and reception of any message within the 
constituting a collection of specific information. Using the network, and evidence information converting means for 
same encryption key and algorithm, the receiving terminal converting the evidence information into an encryption 
prepares an authentication token (a collection of information 55 format or other suitable form that will thwart any unscru- 
for authentication purposes) by which the token of the pulous attempts to forge or falsify that information, 
received message is checked for authenticity. If any dispute (4) The message guaranty system of the invention 
occurs between the transmitting and receiving parties includes, within the connected network, delayed delivery 
regarding the transmission or reception of a particular means for transmitting a message to the receiving terminal 
message, the two parties alone are responsible for resolving 60 on behalf of the transmitting terminal when such transmis- 
it. sion is requested by the latter, so as to ensure more secure 

The above conventional methods are effective in detecting delivery of that message, 

mismatches in message processing but fail to provide for (5) The message guaranty system of the invention 

eventualities in which the transmitting or receiving party includes third party verification means for verifying the 

denies having transmitted or received a specific message. 65 authenticity of evidence information about a particular mes- 

Al though the system of the cited reference 1 provides high sage when such verification is requested by a plurality of 

degrees of message authentication, the fact that any dispute terminals. 
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In operation, the message guaranty system of the above FIG. 6 is a flowchart of steps constituting the process in 

constitution offers the following advantages: which to verify the evidence El attesting to the transmission 

(1) According to the invention, any message sent from the of the message Ml; 

transmitting terminal to the receiving terminal is furnished pj G 7 ^ a flowchart of steps detailing what takes place 

with evidence information which, prepared by the reliable 5 m s t e p 201 of FIG. 6; 

third party, attests to the transmission and reception of that ^ . ' . . , tU a t 

message. The highly reliable evidence information demon- ™L 8 15 a view outhmn § th * P r ° ce * s m , W , K the * ret 

strates unfailingly whether a particular message was actually embodiment prepares evidence E2 attestmg to the reception 

delivered from one party to another. This feature facilitates of tne messa S e 

the resolution of any message -related dispute between two 3Q FIG. 9 is a flowchart of steps in which to prepare the 

contending parties. evidence E2 attesting to the reception of the message Ml; 

(2) The evidence information preparing means of the FIG. 10 is a view illustrating the process in which the first 
invention prepares evidence information on the basis of such embodiment verifies the evidence E2 attesting to the recep- 
message-related information as the terminal name of the tj on 0 f the message El; 

transmitting terminal (transmitter identifier), the terminal . a , . ? 4 

- , fo . . > 1/ • • 1 '\. c v 4 . c is FIG. 11 is a flowchart of steps constituting the process in 

name of the receiving terminal (receiver identifier), time ot , . . 4 . ™ t f, r . - 

. . & ... , • f 1 « which to venfy the evidence E2 attesting to the reception of 

message transmission, and the message length. Analyzing ^ e messa e El* 

this evidence information provides a highly accurate verdict e messa § e > 

on the disputed message. FIG - 12 is a schematic diagram of a message guaranty 

(3) The evidence information converting means of the s y stem P racticed as a xcond embodiment of the invention; 
invention converts the evidence information into an encryp- FIG. 13 is a view outlining the process in which the 
tion format or other suitable form that will thwart any second embodiment prepares evidence E3 attesting to the 
malicious or unscrupulous attempts to forge or falsify that transmission of a message M2; 

information. This feature allows the inventive system to FIG. 14 is a flowchart of steps in which to prepare the 

attest to the transmission and reception of any message with 25 evidence E3 attesting to the transmission of the message 

more certainty than ever. M2; 

(4) As mentioned, any message sent from the transmitting FIG. 15 is a view illustrating the process in which the 
terminal to the receiving terminal is equipped with evidence second embodiment verifies the evidence E3 attesting to the 
information which is prepared and converted by the evi- transmission of the message M2; 

dence information preparing and converting means and 30 FIG. 16 is a flowchart of steps constituting the process in 

which attests to the transmission and reception of that which to verify the evidence E3 attesting to the transmission 

message This evidence information demonstrates whether a Q f me messa g e \|2; 

particular message was actually delivered from one party to ___ . . ' .„ t . . ,. , 4 , 

y 4 . Tf s . . . , . , r r ' FIG. 17 is a view illustrating the process in which the 

another. If more security is desired in delivering a message, , ... t * y tt . + t , 

... , , .. J c tU *■ • j . second embodiment verifies evidence E4 attesting to the 

the delayed delivery means of the invention is used to 35 . f , p - 

transmit a message along with its evidence information from rece P tlon ot ltie message \U\ 

an evidence server comprising that means directly to the FIG - 18 15 a flowchart of steps constituting the process in 

receiving terminal on behalf of the transmitting terminal. whi ch to verify the evidence E4 attesting to the reception of 

Interposed between the transmitting and the receiving tn e message M2; 

terminal, the delayed delivery means offers more secure 40 FIG. 19 is a view outlining the process in which the 
delivery of messages therebetween and directly attests to the second embodiment prepares evidence attesting to the trans- 
transmission and reception of any of the messages so mission of a message from a message control server 4 to a 
delivered. plurality of transmitting servers 40 through 42; and 

(5) If a message-related dispute occurs between a plurality FIG. 20 is a flowchart of steps constituting the process in 
of communicating terminals and if these terminals request 45 which to prepare the evidence attesting to the transmission 
verification of the evidence information regarding the dis- of a message from the message control server 4 to the 
puted message, the verification means of the invention multiple transmitting servers 40 through 42, 

verifies the authenticity of the evidence information in 

question DESCRIPTION OF THE PREFERRED 

Other objects and advantages of the invention will 50 EMBODIMENTS 

become apparent from the examination of the present dis- Preferred embodiments of the invention will now be 

closure. * described with reference to the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS F,G - 1 is a schematic diagram of a message guaranty system 

practiced as a first embodiment of the invention and includ- 

FIG. 1 is a schematic diagram of a message guaranty 55 {ng a netwQrk sygtem t In pjQ 1? the network 1 % 

system practiced as a first embodiment of the invention; connected with an evidence preparing server 2, an evidence 

FIG. 2 is a view outlining the process in which the first verifying server 3, and workstations (each called a WS) 10 

embodiment prepares evidence El attesting to the transmis- through 12, 20, and 30 through 32. The first embodiment is 

sion of a message Ml; characterized in that the servers 2 and 3 arc each constituted 

FIG. 3 is a flowchart of steps constituting the process in 60 not by any configured workstation but by a reliable third 

which to prepare the evidence El attesting to the transmis- part y. Although the first embodiment has the evidence 

sion of the message Ml; preparing server 2 and the evidence verifying serve 3 

FIG. 4 is a flowchart of steps detailing what takes place implemented separately for explanatory purposes, they may 

in step 102 of FIG, 3; be integrated in a single server unit. When an application 

FIG. 5 is a view illustrating the process in which the first 65 program (called an AP) 13 started on a WS 10 illustratively 

embodiment verifies the evidence El attesting to the trans- transmits a message Ml to an AP 21 on a WS 20, the 

mission of the message Ml; evidence preparing server 2 prepares evidence information 
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(or simply called evidence) El attesting to the transmission verification of the evidence El, the evidence verifying server 

of the message Ml from the AP 13 on the WS 10 to the AP 3 receives the message Ml and checks to see if the evidence 

21 on the WS 20. How the evidence preparing server 2 El attached to the message Ml is valid (step 201). If the 

prepares the evidence El will be described later in detail evidence El is found to be valid, the evidence verifying 

with reference to FIG. 4. 5 server 3 retains the evidence El (how to retain it is a local 

-ru uro in {l • . * * *,M *.u *u matter) and returns the result of the verification to the WS 20 

TTie WS 10 furnishes the target message Ml with the { , f ^ £1 fe found {Q be [n 

evidence El prepared by the evidence preparing «rvcr2and ^ the s ' ecurit aulhorit ^ notified thereof (step 203). 

transmits the message along with the evidence to the WS 20 ^ ^ ^ M ^ ^ { ^ 3 

(to be described later with reference to FIG. 2). . , ni . ■ . . # . • 

v 10 verifies the evidence El (i.e., step 201) is depicted in more 

The evidence verifying server 3 acts to verify the authen- detail in FIG 7 W here the evidence preparing server 2 and 
ticity of the evidence information thus prepared. Such veri- the ev idcnce verifying server 3 exist as different server units, 
fication of evidence is generally conducted in case of a it ^ neC essary to install beforehand a common encryption 
message processing discrepancy resulting in a dispute algorithm in both servers. In that case, the evidence verify- 
between, say, the WS 10 and the WS 20. It is also possible ing 3 needs t0 be supp Hed, in advance during the 
for the WS 20 to request evidence verification upon receipt proceS sing of FIG. 4, with the evidence El prepared by the 
of the message Ml along with the evidence El. One such evidence preparing server 2. The evidence verifying server 
example is that of FIG. 5, to be described later, in which the 3 checks t0 see tf conversion (i.e., decryption) of the 
AP 21 on the WS 20 requests the evidence verifying server evidence El attached to the message Ml from the WS 20 is 
3 to verify the authenticity of the evidence El. ^ requested. If such a request is found to have been made, the 

How the evidence El for the message Ml is prepared will evidence verifying server 3 decrypts the evidence El using 

now be described with reference to FIG. 2 and to the the encryption algorithm (E) (steps 2011 and 2012). The 

flowchart of FIG. 3. When the AP 13 on the WS 10 requests information contained in the decrypted evidence El is then 

the evidence preparing server 2 to prepare the evidence El analyzed and checked, using a function for verifying evi- 

for the message Ml, the server 2 checks to see if the request 25 dence information (F^ 1 ), against such items of information 

is valid (step 101). If the request is found to be valid, the as the transmitter identifier (identifying, e.g., WS 10 paired 

evidence preparing server 2 accepts the message Ml and with AP 13), the receiver identifier (identifying, e.g., WS 20 

prepares the evidence El based on the message contents paired with AP 21), the time of transmission of the message 

(step 102). The evidence preparing server 2 retains the Ml, and the length of the message Ml (step 2013). With 

evidence El thus prepared (how to retain it is a local matter) 30 these items of information verified, the evidence verifying 

and returns the same evidence to the WS 10 (step 103). If the server 3 determines whether the evidence El is valid as 

request made by the AP 13 is found to be invalid in step 101, evidence information relevant to the message Ml. At this 

that request is reported to a security authority (step 104). The point, the evidence El from the WS 20 may alternatively be 

security authority is provided on the network for the purpose checked against the evidence El received directly from the 

of having overall control on message-related problems on 35 evidence preparing server 2 (prepared in the processing of 

the network. The security authority is responsible for proper FIG. 4) for coincidence. The coincidence of the evidence 

enforcement of security-related rules and regulations (i.e., from the two different sources should enable more accurate 

security policy) within the management domain indicated in message verification. 

FIG. 1. If a security breach is detected within the manage- After step 202, the evidence verifying server 3 returns to 

ment domain (in step 101), the evidence preparing server 2 4Q lne WS 20 the result of verification of the evidence El, and 

must notify the security authority of that breach. The kind of requests the evidence preparing server 2 to prepare infor- 

security policy and the manner of implementing it, as well mation (herein called evidence E2) attesting to the reception 

as ways to analyze security breaches, are not directly rel- Q f tn e message Ml by the WS 20 from the WS 10. The 

evant to this invention and will not be discussed herein. sequence in which to request the preparation of the evidence 

The process in which the evidence preparing server 2 45 E2 is shown in FIG. 8. 

prepares the evidence El (i.e., step 102) will now be How the evidence E2 attesting to the reception of the 

described in more detail with reference to FIG. 4. The message Ml is prepared will now be described with refer- 

evidence preparing server 2 acquires from the WS 10 ence to FIGS. 8 and 9. It may happen that the system is so 

information comprising the message name, the transmitter configured that the evidence preparing server 2 and evidence 

identifier (identifying, e.g., WS 10 paired with AP 13), the 50 verifying server 3 are implemented in the same server unit, 

receiver identifier (identifying, e.g., WS 20 paired with AP In that case, all exchanges between the two servers in FIGS. 

21), the time of transmission of the message Ml (TM1), and 8 and 9 can be omitted. 

the length of the message Ml (TL1) (step 1021). The The evidence verifying server 3 first requests the evidence 

evidence El is prepared in accordance with a function (F) preparing server 2 to prepare the evidence E2 attesting to the 

for preparing evidence information based on these items of 55 reception of the message Ml by the WS 20 from the AP 13 

information, (step 1022) If it is necessary to convert the on lne WS 10 (step 301). In turn, the evidence preparing 

evidence information into an encryption format immune to server 2 prepares the evidence E2 attesting to that effect 

forgery or falsification (step 1023), the evidence preparing ( step 302). Concrete steps to prepare the evidence E2 

server 2 encrypts the evidence El using an encryption comply with the processing of FIG. 4. It should be noted that 

algorithm (E) known only to this server (step 1024). The WS 60 m p i ace 0 f TM 1 (time of transmission of the message Ml), 

10 furnishes the target message Ml with evidence El' the time at which the WS 20 received the message Ml is 

(E(E1)) prepared by the evidence preparing server 2, and designated. The evidence preparing server 2 retains the 

transmits the message Ml along with the evidence to the WS evidence E2 (how to retain it is a local matter) and returns 

20. the same evidence to the evidence verifying server 3 (step 

How the evidence El of the message Ml is verified will 65 303). The evidence verifying server 3 retains the received 

now be described with reference to FIGS. 5 and 6. In evidence E2 along with the evidence El stored previously 

response to a request by the AP 21 on the WS 20 for (step 304). 
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Although the evidence verifying server 3 requests the message control server 4. This procedure is effective where 

evidence preparing server 2 to prepare the evidence E2 in the the transmission of a message from the WS 10 to the WS 20 

above example, the AP 21 on the WS 20 may alternatively is delegated to the message control server 4 to ensure higher 

request the evidence preparing server 2 to prepare the levels of security. 

evidence E2. 5 FIG. 15 is a view illustrating the process in which the 

How to attest to the transmission and reception of a second embodiment verifies the evidence E3 attesting to the 

message will now be described with reference to FIGS. 10 transmission of the message M2. What takes place in the 

and 11. FIG. 10 is a view illustrating the process in which the setup of FIG. 15 will be described below in more detail with 

first embodiment verifies the evidence E2 attesting to the reference to the flowchart of FIG. 16. The message control 

reception of the message El. If a message processing 10 server 4 requests the evidence verifying server 3 to verify the 

discrepancy occurs and results in a dispute between the WS evidence E3 (step 601). When so requested by the message 

10 and the WS 20, the processing of FIG. 10 is generally control server 4, the evidence verifying server 3 checks to 

carried out for verification. FIG. 11 is a flowchart of steps see if the evidence E3 attached to the message M3 is valid 

corresponding to the processing of FIG. 10. Given a request (step 602). The method of verifying the evidence E3 is the 

from the AP 13 on the WS 10 for verification of the evidence 15 same as that of verifying the evidence El described with 

E2, the evidence verifying server 3 checks to see if the reference to FIG. 7 and will not be described further. If the 

request is valid (step 401). If the request is found to be valid, result of the verification is correct, the evidence verifying 

the evidence verifying server 3 receives the evidence El server 3 retains the evidence E3 and returns the result of the 

from the WS 10 and checks to see if there exists evidence E2 verification to the message control server 4 (step 603). The 

corresponding to the evidence El (step 402). The evidence 2 q message control server 4 prepares management information 

verifying server 3 then returns to the WS 10 the result of the MO for its own management, attaches the information MO 

verification attesting to the presence or the absence of the to the message M2 and transmits the same information to the 

evidence E2 (step 403). If the request is found to be invalid WS 20 (step 604). The management information MO serves 

in step 401, the security authority is notified thereof (step as evidence information attesting to the fact that the message 

404). If the result from the evidence verifying server 3 25 transmission from the WS 10 to the WS 20 is delegated to 

indicates the presence of the evidence E2 corresponding to the message control server 4. In that respect, the manage - 

the evidence El, the WS 10 knows that the WS 20 indeed ment information MO complies with the format determined 

received the message Ml. by the message control server 4. Illustratively, the informa- 

A second embodiment of the invention will now be tion includes such items as the transmitting terminal name, 

described with reference to FIGS. 12 through 20, FIG. 12 is 30 receiving terminal name, message ID, and ID of the message 

a schematic diagram of a message guaranty system practiced control server 4. Furthermore, with the message M2 deliv- 

as the second embodiment of the invention and including a ered to the WS 20, the message control server 4 prepares 

network system 1. In FIG. 12, the network 1 is connected information (called evidence E4) attesting to the reception of 

with a message control server 4, an evidence preparing the message M2 by the WS 20 from the WS 10 (step 605). 

server 2, an evidence verifying server 3, and workstations 35 Where the servers 2, 3 and 4 are separately implemented, the 

(WS) 10 through 12, 20, and 30 through 32. The second message control server 4 may get the evidence preparing 

embodiment differs from the first embodiment in that the server 2 to prepare the evidence E4. The evidence E4 thus 

second includes the message control server 4. The rest is the prepared is sent to both the message control server 4 and the 

same as the first embodiment. The message control server 4 evidence verifying server 3 for storage. On the other hand, 

provides control illustratively on the transmission and recep- 40 if the evidence verifying server 3 finds the evidence E3 

tion of messages between the AP 13 on the WS 10 and the invalid following the receipt of the request for its 

AP21ontheWS 20, on the evidence preparing server 2 and verification, the evidence verifying server 3 notifies the 

on the evidence verifying server 3. Although the second security authority thereof (step 606). 

embodiment has a plurality of servers implemented sepa- For delivery of the message from the message control 

ratcly for explanatory purposes, they may be integrated in 45 server 4 to the WS 20, the message control server 4 may 

one or two server units. additionally furnish the message with information for ascer- 

How to prepare evidence E3 for a message M2 will now taining the willingness on the part of the WS 20 to really 

be described with reference to FIGS. 13 and 14. When the perform the transaction. 

AP 13 on the WS 10 requests the evidence preparing server FIG. 17 is a view illustrating the process in which the 

2 to prepare the evidence E3 attesting to the transmission of 50 second embodiment verifies evidence E4 attesting to the 

the message M2 from the AP 13, the server 2 checks to see reception of the message E2. If a message processing 

if that request is valid (step 501). If the request is found to discrepancy occurs and results in a dispute between the WS 

be valid, the evidence preparing server 2 receives the 10 and the WS 20, the processing of FIG. 17 is carried out 

message M2 and prepares the evidence E3 based on the for verification. What takes place in the setup of FIG. 17 will 

message contents (step 502). The contents of the evidence 55 now be described in more detail with reference to the 

E3 are the same as those of the evidence El and will riot be flowchart of FIG. 18. Although the evidence verifying server 

described further. The evidence preparing server 2 retains 3 is generally responsible for this verification process, the 

the evidence E3 thus prepared and returns the same evidence message control server 4 may take over the process instead, 

to the WS 10 (step 503). Where the evidence preparing (FIGS, 17 and 18 show an example in which the message 

server 2 and the evidence verifying server 3 are separately 60 control server 4 carries out the verification process.) When 

implemented, the evidence preparing server 2 sends the the AP 13 on the WS 10 requests the evidence verifying 

evidence E3 to the evidence verifying server 3 as well. If the server 3 to verify the evidence E4, the evidence verifying 

request by the AP 13 is found to be invalid in step 501, the server 3 checks to see if that request is valid (step 701). If 

security authority is notified thereof (step 504). the request is found to be valid, the evidence verifying server 

'ITie WS 10 furnishes the message M2 with the evidence 65 3 receives the evidence E3 and verifies whether there exists 

E3 prepared by the evidence preparing server 2 and trans- evidence E4 corresponding to the evidence E3 (step 702). 

mits the message M2 along with the evidence E3 to the The result of the verification is returned to the WS 10 (step 
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703). If the request is found to be invalid in step 701, the for verifying whether particular security information is valid 

security authority is notified thereof (step 704). upon receipt of a request from either the transmitting or the 

FIG. 19 is a view outlining the process in which the receiving terminal for verification of the security informa- 

second embodiment prepares evidence attesting to the trans- { ™™ <Pe*fn. If . the f°™*° n J* f ° Und t ° 1 be 

mission of a message from the message control server 4 to 5 va id, that information is retained, and the other terminal is 

... a, u ai -ru notified of the result of the verification, 

a plurality of transmitting servers 40 through 42. The t , . 4 , 

• rnr m- *u ~ ^ fU«* «f cir 1 11 ■« . Another alternative embodiment may comprise control 

processing of FIG. 19 is the same as that or FIG. 12 in terms , ,. . t . _ ' . , r _ A \ 

. & . At _ t , j i. * means (corresponding to the message control server 4) tor 

of interposing the message control server 4 between the control v on the P exchan | esof message s between a plurality of 

transmitting and ^the receiving terminal. What makes the termina i Sj on the securit y information preparing means, and 

processing of FIG. 19 different from that of FIG. 12 is that W ^ ^ verifying means ^ ^ of contfol involved 

the former involves the use of a plurality of transmitting pertam l0 the preparation of receipt information attesting to 

servers for the actual transmission and reception of mes- me recep tion of a message by the receiving terminal, to the 

sages. The message control server 4 must prepare evidence request for the preparing means to prepare security 

information upon verifying the transmission and reception information, and to the request for the verifying means to 

of any message between these transmitting servers. What 35 verify security information and exchange-related informa- 

takes place in the setup of FIG. 19 will now be described tion. 

with reference to the flowchart of FIG. 20. The message As described, the message guaranty system according to 

control server 4 transmits to transmitting servers 4t (i=0-2) the invention offers the following advantages: 

the message M2 furnished with the evidence E3 and man- (i) According to the message guaranty system of the 

agement information MO (step 801). The transmitting serv- 20 invem i 0 n, any meS sage sent from the transmitting terminal 

ers 4t are each a server with a transmitting and receiving t o the receiving terminal is furnished with evidence infor- 

(i.e,, repeating) function and an evidence preparation and mation which, prepared by the reliable third party, attests to 

storage function. As such, the transmitting servers 4i prepare the transmission and reception of that message. The highly 

evidence Ej Q=5-l) attesting to the transmission of the reliable evidence information demonstrates unfailingly 

message and store that evidence (step 802). The evidence Ej 25 whether a particular message was actually delivered from 

thus prepared is returned to the message control server 4, one party to another, thereby guaranteeing the security of the 

and the message M2 is sent to the transmitting servers 4i +1 message in question. This feature permits accurate, 

(step 803). The message control server 4 prepares the discrepancy-free exchanges of messages between the parties 

evidence E4 based on the returned evidence Ej (step 804). concerned and facilitates the resolution of any message- 

The procedure above allows the message control server 4 to 30 related dispute therebetween. 

manage and verify in a comprehensive manner the routes ( 2 ) The evidence information preparing means of the 

through which the message M2 passed. invention prepares evidence information on the basis of such 

With the second embodiment, the transmitting terminal message -related information as the transmitter identifier, the 

requests the receiving terminal to prepare and verify the receiver identifier, the time of message transmission and the 

evidence El through evidence E3. Alternatively, the receiv- 35 message length. Analyzing this evidence information pro- 

ing terminal may request the transmitting terminal to do the vides a highly accurate verdict on the disputed message, 

same. (3) The evidence information converting means of the 

As described, the message control server 4 intervenes in invention converts the evidence information into an encryp- 

the transmission of a message from the WS 10 to the WS 20. 4Q tion format or other suitable form that will thwart any 

By way of such intervention, the message control server 4 malicious or unscrupulous attempts to forge or falsify that 

prepares evidence attesting both to the message transmission information. This feature allows the inventive system to 

from the transmitting terminal and to the message reception attest to the transmission and reception of any message with 

by the receiving terminal. This makes it impossible not only more certainty than ever. 

for the transmitting terminal to deny it ever issued the 45 (4) The delayed delivery means of the invention may be 

message M2; it also* makes it impossible for the receiving used to transmit a message along with its evidence infor- 

terminal to claim that it never received the message M2 for mation from the evidence server comprising that means 

such putative reasons as a network system error. directly to the receiving terminal on behalf of the transmit- 

The above embodiments utilize encryption in preventing ting terminal. Acting as it does, the delayed delivery means 

malicious or unscrupulous attempts to forge or falsify evi- 50 offers more secure delivery of messages between the trans- 

dence information. Alternatively, the hash function may be mitting and the receiving terminal. 

employed to provide against tampering. (5) If a message-related dispute occurs between a plurality 

The above embodiments use evidence information attest- of communicating terminals and if these terminals request 

ing to the transmission and reception of a message effected verification of the evidence information regarding the dis- 

by the transmitting and the receiving terminal (WS 10 and 55 P^ted message, the verification means of the third parts 

WS 20), respectively. An alternative embodiment may use verifies the authenticity of the evidence information in 

security information /or verifying the security of a message question. 

to be sent from the transmitting terminal to the receiving As many apparently different embodiments of this inven- 

tcrminal. In that case, the embodiment includes security tion may be made without departing from the spirit and 

information preparing means (corresponding to the evidence 60 scope thereof, it is to be understood that the invention is not 

preparing server 2) for preparing security information attest- limited to the specific embodiments thereof except as 

ing to the security of the message to be sent from the defined in the appended claims, 

transmitting terminal, the preparation being effected upon What is claimed is: 

receipt of a request for such security information. The 1. A message guaranty system connected with a plurality 

security information thus prepared is retained by the pre- 65 of terminals on a network, comprising: 

paring means, and is also transmitted to the transmitting message delivery means for delivering a message from a 

terminal. The embodiment further includes verifying means transmitting terminal to a receiving terminal; 
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evidence information preparing means for preparing by a 
third party evidence information attesting to the trans- 
mission and reception of said message and storing the 
evidence information in a first memory; and 

evidence information furnishing means for appending to 
said message delivered from said transmitting terminal 
to said receiving terminal, said evidence information 
prepared by said evidence information preparing 
means; 

means, included in said transmitting terminal, for trans- 
mitting said evidence information to said receiving 
terminal through said message delivery means; and 

evidence information verifying means for accepting from 
the receiving terminal a message containing evidence 
information received by the receiving terminal, for 
receiving from the evidence information preparing 
means and storing in a second memory the evidence 
information prepared by said evidence information 
preparing means, for comparing the evidence informa- 
tion contained in the received message with the evi- 
dence information stored in said second memory, and 
for sending to the receiving terminal, if the evidence 
information in the received message is determined to 
correspond to the evidence information stored in said 
second memory, data attesting that said received mes- 
sage is the message that was transmitted by the trans- 
mitting terminal. 

2. A message guaranty system according to claim 1, 
wherein said evidence information preparing means pre- 
pares second evidence information attesting that the mes- 
sage transmitted from the transmitting terminal was received 
in the receiving terminal; 

wherein said evidence information verifying means 
receives from said evidence information preparing 
means said second evidence information and then 
stores said second evidence information in said second 
memory in a manner so that the second evidence 
information corresponds to the evidence information 
stored therein; and 

wherein said evidence information verifying means fur- 
ther receives said evidence information from the trans- 
mitting terminal, determines whether there is stored in 
said second memory second evidence information cor- 
responding to said evidence information, and transmits 
to the transmitting terminal, if second evidence infor- 
mation corresponding to the evidence information pre- 
pared by the evidence information preparing means is 
stored in said second memory, data attesting that the 
message which was transmitted to the receiving termi- 
nal has been received in the receiving terminal. 

3. A message guaranty system according to claim 2, 
wherein, if second evidence information corresponding to 
said evidence information is not stored in said second 
memory, said evidence information verifying means notifies 
a security authority. 

4. The message quaranty system according to claim 1, 
wherein said evidence information preparing means and said 
evidence information verifying means arc integrated in a 
single integral unit. 

5. A message quaranty system according to claim 4, 
wherein said single integral unit stands as a third party on the 
same network as the transmitting and receiving terminals. 

6. A message guaranty system according to claim 1, 
wherein, if said evidence information in the message 
received by the receiving terminal is determined not to be 
equal to the evidence information transmitted by said trans- 
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mitting terminal, said evidence information verification sys- 
tem notifies a security authority. 

7. A method for communicating a message in a manner 
that will guarantee transfer of said message from a first 
workstation to a second workstation, said first and second 
workstations being connected to one another by a network, 
said method comprising the steps of: 

transmitting a first request signal from the first worksta- 
tion to a first server requesting said first server to 
prepare a first type of evidence information for identi- 
fying said message to be transmitted from the first 
workstation to the second workstation; 

generating in the first server said first type of evidence 
information based at least in part on contents of said 
message; 

storing said first type of evidence information in said first 
server; 

transmitting said first type of evidence information to a 

second server for storage therein; 
appending said first type of evidence information to said 

message; 

transmitting said message with said appended evidence 
information to the second workstation via said network; 

receiving in said second workstation a message contain- 
ing evidence information; 

sending the evidence information in the message received 
in said second workstation from said second worksta- 
tion to said second server; 

comparing in said second server the evidence information 
in said message received in said second workstation 
with the first type of evidence information stored in 
said second server; and 

sending from the second server to the second workstation, 
if the evidence information in the message received in 
said second workstation is determined to be equal to the 
first type of evidence information stored in said second 
server, data attesting that said message received in said 
second workstation is the message that was transmitted 
by said first workstation. 

8. The method recited in claim 7, further comprising the 
steps of: 

sending a second request signal from said second server 
to the first server requesting said first server to prepare 
a second type of evidence information attesting that the 
message transmitted from the first workstation was 
received in the second workstation; 

generating in said first server said second type of evidence 
information; 

storing in said first server said second type of evidence 
information; 

transmitting from said first server to said second server 
said second type of evidence information for storage in 
said second server, said second server storing said 
second type of evidence information in a manner so 
that said second type of evidence information corre- 
sponds to the first type of evidence information stored 
in said second server; 

receiving in said second server said first type of evidence 
information from the first workstation; 

determining whether said second server has stored therein 
second type of evidence information corresponding to 
said first type of information; 

transmitting from said second server to the first 
workstation, if second type of evidence information 
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corresponding to said first type of evidence information 
is stored in said second server, data attesting that the 
message which was transmitted to the second worksta- 
tion has been received in said second workstation. 

9. The method recited in claim 8, further comprising the 
step of: 

notifying a security authority if second type of evidence 
information corresponding to said first type of evidence 
information is not stored in said second server. 

10. A method as recited in claim 8, further comprising the 
step of: 

notifying a security authority if said second request signal 
is invalid. 

11. The method of claim 7, further comprising the step of: 
notifying a security authority if the evidence information 

in the message received by said second workstation is 
determined not to be equal to the first type of evidence 
information stored in said second server. 

12. The method as recited in claim 7, further comprising 
the step of: 

notifying a security authority if said first request signal is 
invalid. 

13. A system for communicating a message in a manner 
that will guarantee transfer of said message from a first 
workstation to a second workstation, comprising: 

communication means for connecting the first worksta- 
tion to the second workstation; 

first server means for generating, when requested by the 
first workstation, a first type of evidence information 
based at least in part on contents of said message, for 
storing the first type of evidence information in a first 
memory located therein, and for transmitting said first 
type of evidence information to the first workstation; 

means, included in said first workstation, for appending 
said first type «of evidence information transmitted 
thereto to said message; 

means, included in said first workstation, for transmitting 
said message with the appended evidence information 
to the second workstation via said communication 
means; and 

second server means for accepting from the second work- 
station a message containing evidence information 
which was received in the second workstation, for 
receiving from said first server means and storing in a 
second memory said first type of evidence information, 
for comparing \he evidence information contained in 
said message received in the second workstation with 
the first type of evidence information stored in said 
second memory, and for sending to the second 
workstation, if the evidence information in the message 
received in the second workstation is determined to be 
equal to the first type of evidence information, data 
attesting that said message received in the second 
workstation is the message that was transmitted by the 
first workstation. 

14. The system recited in claim 13, wherein said first 
server means prepares and then stores in said first memory 
a second type of evidence information when requested to do 
so by said second server means, said second type of evi- 
dence information attesting that the message transmitted 
from the first workstation was received in the second work- 
station; and 

wherein said second server means receives from said first 
server means said second type of evidence information 
and then stores said second type of evidence informa- 
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tion in said second memory in a manner so that the 
second type of evidence information corresponds to the 
first type of evidence information stored therein, said 
second server means then receiving said first type of 
evidence information from the first workstation, deter- 
mining whether there is stored in said second memory 
second type of evidence information corresponding to 
said first type of evidence information, and transmitting 
to the first workstation, if second type of evidence 
information corresponding to said first type of evidence 
information is stored in said second memory, data 
attesting that the message which was transmitted to the 
second workstation has been received in said second 
workstation. 

15. The system recited in claim 14, wherein the second 
server means includes means for notifying a security author- 
ity if second type of evidence information corresponding to 
said first type of evidence information is not stored in said 
second memory. 

16. The system of claim 13, wherein said second server 
means includes means for notifying a security authority if 
the evidence information in the message received by said 
second workstation is determined not to be equal to said first 
type of evidence information. 

17. The system recited in claim 13, wherein said first 
server means and said second server means are integrated in 
a single integral unit. 

18. The system recited in claim 17, wherein said single 
30 integral unit stands as a third party in relation to said first and 

second workstations. 

19. A method for communicating a message in a manner 
that will guaranty transfer of said message from a first 
workstation to a second workstation, said first and second 

35 workstations being connected to one another by a network, 
said method comprising the steps of: 

generating in a first server a first type of evidence infor- 
mation for identifying said message to be transmitted 
from the first workstation to the second workstation, 
said first type of evidence information being based at 
least in part on contents of said message; 
storing said first type of evidence information in said first 
server; 

transmitting said first type of evidence information to a 

second server for storage therein; 
appending said first type of evidence information to said 
message; 

transmitting said message with said appended evidence 
information to the second workstation via said network; 
receiving in said second workstation a message contain- 
ing evidence information; 
sending the evidence information and the message 
received in said second workstation from said second 
workstation to said second server; 
comparing in said second server the evidence information 
in said message received in said second workstation 
with the first type of evidence information stored in 
said second server; and 
sending from the second server to the second workstation, 
if the evidence information in the message received in 
said second workstation is determined to be equal to the 
first type of evidence information stored in said second 
server, data attesting that said message received in said 
second workstation is the message that was transmitted 
by said first workstation. 



40 



45 



50 



60 



65 



07/08/2004, EAST Version: 1.4.1 



6,1 

15 

20. The method recited in claim 19, further comprising the 
steps of: 

generating in said 'first server a second type of evidence 
information attesting that the message transmitted from 
the first workstation was received in the second work- 
station; 

storing in said first server said second type of evidence 
information; 

transmitting from said first server to said second server 
said second type of evidence information for storage in 
said second server, said second server storing said 
second type of evidence information in a manner so 
that said second type of evidence information corre- 
sponds to first type of evidence information stored in 
said second server; 

receiving in said second server said first type of evidence 
information from the first workstation; 

determining whether said second server has stored therein 
second type of evidence information corresponding to 
said first type of evidence information; and 
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transmitting from said second server to the first 
workstation, if second type of evidence information 
corresponding to said first type of evidence information 
is stored in said second server, data attesting that the 
5 message which was transmitted to the second worksta- 
tion has been received in the second workstation. 

21. The method recited in claim 20, further comprising the 
steps of: 

30 sending a second request signal from said second server 
to the first server requesting said first server to prepare 
said second type of evidence information. 

22. The method recited in claim 19, further comprising the 
is steps of: 

transmitting a first request signal from the first worksta- 
tion to a first server requesting said first server to 
prepare said first type of evidence information. 

20 
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